Article 29 Working Party Releases 12th Annual Report
The Article 29 Working Party, a group created under the EU Data Protection Directive and made up of the data protection regulators of each Member State to provide guidance on data protection and privacy issues, has released its 12th Annual Report. The Chairman, Alex Turk, states that the four main issues of the year were protection of children’s personal data, search engines and the large amounts of data they gather, international transfer of personal data with emphasis on the use of Binding Corporate Rules, and air passenger name records. Overall, enforcement by the DPAs appears to have increased compared to the previous year.
The report serves as a summary of all EU DPAs’ reports on the implementation of the EU Data Protection Directive, the E-Privacy Directive, major case law, and major specific issues. The following are some of the interesting tidbits from the Annual Report.
The Austrian DPA found that a whistle-blower hotline of a US multinational required that the Austrian subsidiary be considered a data controller. The Austrian DPA held that data transfers by the employees would be imputed to the employer because the employer’s Code of Conduct required its employees to report illegal or unethical activity.
The Danish DPA highlighted the case of a nightclub that wanted to create an electronic access control system that used fingerprints, photos, and black lists of unwanted customers who would be rejected at the door. The DPA allowed the database so long as customers gave explicit consent and data was deleted after consent was withdrawn.
The French DPA, CNIL, stated that it had been in session 50 times and adopted 586 resolutions during the year, an increase of 50% compared to the previous year. CNIL also handled 4,244 complaints during the year. It conducted 218 inspections, “an increase of 33 % compared to the previous year.” The DPA imposed fines ranging from $30,000 to $100. CNIL also issued 126 warnings, an increase of 20% compared to the previous year.
The Dutch DPA greatly increased its enforcement activity compared to the previous years. It carried out 95 investigations, an increase of 50% compared to the previous year, and imposed sanctions or threatened to impose sanctions in 68 cases, compared to 39 in the previous year and 2 the year before.
The Spanish DPA, AEPD, was just as active as it was in the previous year. The DPA did not disclose how much money it collected in fines; however, it reported a sharp increase in reported offences. AEPD continued to focus on telecommunications, financial institutions, and video surveillance issues during its investigations. In fact, the financial sector and the telecommunications sector made up the top two spots for fines imposed during the year. The Spanish DPA has also been increasing its activities in the international arena. In addition, AEPD is taking a larger leadership role in the Ibero-American Network for Data Protection. During the 31st International Data and Privacy Protection Conference, AEPD made a “Joint Proposal to Draft International Standards for Protection of Privacy and Personal Data” that was unanimously adopted. AEPD is now in charge of developing international standards for the protection of privacy with regard to processing of personal information.
You may read our blog post on the previous year’s report here.